<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width">
<meta name="theme-color" content="#222"><meta name="generator" content="Hexo 6.3.0">

  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.2.1/css/all.min.css" integrity="sha256-Z1K5uhUaJXA7Ll0XrZ/0JhX4lAtZFpT6jkKrEDT0drU=" crossorigin="anonymous">
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/animate.css/3.1.1/animate.min.css" integrity="sha256-PR7ttpcvz8qrF57fur/yAx1qXMFJeJFiA6pSzWi0OIE=" crossorigin="anonymous">

<script class="next-config" data-name="main" type="application/json">{"hostname":"example.com","root":"/","images":"/images","scheme":"Muse","darkmode":false,"version":"8.14.1","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12},"copycode":{"enable":false,"style":null},"bookmark":{"enable":false,"color":"#222","save":"auto"},"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"stickytabs":false,"motion":{"enable":true,"async":false,"transition":{"menu_item":"fadeInDown","post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"},"path":"/search.xml","localsearch":{"enable":true,"trigger":"auto","top_n_per_article":-1,"unescape":false,"preload":false}}</script><script src="/js/config.js"></script>

    <meta name="description" content="ssh公钥私钥原理主要有两种登录方式：第一种为密码口令登录，第二种为公钥登录 一、密码登录整个过程是这样的：  远程主机收到用户的登录请求，把自己的公钥发给用户。  用户使用这个公钥，将登录密码加密后，发送到远程主机。（客户端输入密码的过程）  远程主机用自己的私钥，解密登录密码，如果密码正确，就同意用户登录。   这个过程本身是安全的，但是实施的时候存在一个风险：如果有人截获了登录请求，然后冒充">
<meta property="og:type" content="article">
<meta property="og:title" content="ssh公钥私钥原理">
<meta property="og:url" content="http://example.com/2022/05/02/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/index.html">
<meta property="og:site_name" content="JsyBlog">
<meta property="og:description" content="ssh公钥私钥原理主要有两种登录方式：第一种为密码口令登录，第二种为公钥登录 一、密码登录整个过程是这样的：  远程主机收到用户的登录请求，把自己的公钥发给用户。  用户使用这个公钥，将登录密码加密后，发送到远程主机。（客户端输入密码的过程）  远程主机用自己的私钥，解密登录密码，如果密码正确，就同意用户登录。   这个过程本身是安全的，但是实施的时候存在一个风险：如果有人截获了登录请求，然后冒充">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="http://example.com/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%861.png">
<meta property="article:published_time" content="2022-05-02T03:12:14.000Z">
<meta property="article:modified_time" content="2022-05-02T07:51:03.925Z">
<meta property="article:author" content="SongyangJi">
<meta property="article:tag" content="安全">
<meta property="article:tag" content="ssh">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="http://example.com/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%861.png">


<link rel="canonical" href="http://example.com/2022/05/02/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/">



<script class="next-config" data-name="page" type="application/json">{"sidebar":"","isHome":false,"isPost":true,"lang":"zh-CN","comments":true,"permalink":"http://example.com/2022/05/02/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/","path":"2022/05/02/ssh公钥私钥原理/","title":"ssh公钥私钥原理"}</script>

<script class="next-config" data-name="calendar" type="application/json">""</script>
<title>ssh公钥私钥原理 | JsyBlog</title>
  








  <noscript>
    <link rel="stylesheet" href="/css/noscript.css">
  </noscript>
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <div class="column">
      <header class="header" itemscope itemtype="http://schema.org/WPHeader"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <p class="site-title">JsyBlog</p>
      <i class="logo-line"></i>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger" aria-label="搜索" role="button">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul class="main-menu menu"><li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a></li><li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a></li><li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a></li><li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a></li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup"><div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off" maxlength="80"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close" role="button">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div class="search-result-container no-result">
  <div class="search-result-icon">
    <i class="fa fa-spinner fa-pulse fa-5x"></i>
  </div>
</div>

    </div>
  </div>

</header>
        
  
  <aside class="sidebar">

    <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <div class="sidebar-panel-container">
        <!--noindex-->
        <div class="post-toc-wrap sidebar-panel">
            <div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86"><span class="nav-number">1.</span> <span class="nav-text">ssh公钥私钥原理</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%B8%80%E3%80%81%E5%AF%86%E7%A0%81%E7%99%BB%E5%BD%95"><span class="nav-number">1.1.</span> <span class="nav-text">一、密码登录</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E4%BA%8C%E3%80%81%E5%85%AC%E9%92%A5%E7%99%BB%E5%BD%95"><span class="nav-number">1.2.</span> <span class="nav-text">二、公钥登录</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E5%85%AC%E9%92%A5%E5%92%8C%E7%A7%81%E9%92%A5"><span class="nav-number">1.2.1.</span> <span class="nav-text">公钥和私钥</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#RSA%E7%AE%97%E6%B3%95%E7%9A%84%E4%BD%9C%E7%94%A8"><span class="nav-number">1.2.2.</span> <span class="nav-text">RSA算法的作用</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#1%E3%80%81%E5%8A%A0%E5%AF%86%EF%BC%9A%E5%85%AC%E9%92%A5%E5%8A%A0%E5%AF%86%E7%A7%81%E9%92%A5%E8%A7%A3%E5%AF%86"><span class="nav-number">1.2.2.1.</span> <span class="nav-text">1、加密：公钥加密私钥解密</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#2%E3%80%81%E8%AE%A4%E8%AF%81%EF%BC%9A%E7%A7%81%E9%92%A5%E5%8A%A0%E5%AF%86%E5%85%AC%E9%92%A5%E8%A7%A3%E5%AF%86"><span class="nav-number">1.2.2.2.</span> <span class="nav-text">2、认证：私钥加密公钥解密</span></a></li></ol></li></ol></li></ol></li></ol></div>
        </div>
        <!--/noindex-->

        <div class="site-overview-wrap sidebar-panel">
          <div class="site-author animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">SongyangJi</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
        <a href="/archives/">
          <span class="site-state-item-count">251</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
          <a href="/categories/">
        <span class="site-state-item-count">45</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
          <a href="/tags/">
        <span class="site-state-item-count">109</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>

        </div>
      </div>
    </div>

    
  </aside>


    </div>

    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://example.com/2022/05/02/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="SongyangJi">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="JsyBlog">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="post" itemscope itemtype="http://schema.org/CreativeWork">
      <meta itemprop="name" content="ssh公钥私钥原理 | JsyBlog">
      <meta itemprop="description" content="">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          ssh公钥私钥原理
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>
      

      <time title="创建时间：2022-05-02 11:12:14 / 修改时间：15:51:03" itemprop="dateCreated datePublished" datetime="2022-05-02T11:12:14+08:00">2022-05-02</time>
    </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-folder"></i>
      </span>
      <span class="post-meta-item-text">分类于</span>
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/categories/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%BD%91%E7%BB%9C/" itemprop="url" rel="index"><span itemprop="name">计算机网络</span></a>
        </span>
    </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <h1 id="ssh公钥私钥原理"><a href="#ssh公钥私钥原理" class="headerlink" title="ssh公钥私钥原理"></a>ssh公钥私钥原理</h1><p>主要有两种登录方式：第一种为密码口令登录，第二种为公钥登录</p>
<h2 id="一、密码登录"><a href="#一、密码登录" class="headerlink" title="一、密码登录"></a>一、密码登录</h2><p>整个过程是这样的：</p>
<ol>
<li><p>远程主机收到用户的登录请求，把自己的公钥发给用户。</p>
</li>
<li><p>用户使用这个公钥，将登录密码加密后，发送到远程主机。（客户端输入密码的过程）</p>
</li>
<li><p>远程主机用自己的私钥，解密登录密码，如果密码正确，就同意用户登录。</p>
</li>
</ol>
<p>这个过程本身是安全的，但是实施的时候存在一个风险：<strong>如果有人截获了登录请求，然后冒充远程主机，将伪造的公钥发给用户，那么用户很难辨别真伪。因为不像https协议，SSH协议的公钥是没有证书中心（CA）公证的，也就是说，都是自己签发的。</strong></p>
<p>如果你是第一次登录对方主机，系统会出现下面的提示：</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta prompt_">　$ </span><span class="language-bash">``ssh` `user@host` `The authenticity of host ``<span class="string">&#x27;host (12.18.429.21)&#x27;</span>` `can<span class="string">&#x27;t be established.` `RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.` `Are you sure you want to ``continue` `connecting (``yes``/no``)?</span></span></span><br></pre></td></tr></table></figure>

<p>这段话的意思是，无法确认host主机的真实性，只知道它的公钥指纹，问你还想继续连接吗？</p>
<p>所谓<strong>公钥指纹</strong>，是指公钥长度较长（这里采用RSA算法，长达1024位），很难比对，所以对其进行MD5计算，将它变成一个128位的指纹。上例中是<code>98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d</code>，再进行比较，就容易多了。</p>
<p>很自然的一个问题就是，用户怎么知道远程主机的公钥指纹应该是多少？回答是没有好办法，<strong>远程主机必须在自己的网站上贴出公钥指纹，以便用户自行核对。假定经过风险衡量以后，用户决定接受这个远程主机的公钥。</strong></p>
<p>当远程主机的公钥被接受以后，它就会被保存在文件<code>$HOME/.ssh/known_hosts</code>之中。下次再连接这台主机，系统就会认出它的公钥已经保存在本地了，从而跳过警告部分，直接提示输入密码。</p>
<p>每个SSH用户都有自己的known_hosts文件，此外系统也有一个这样的文件，通常是&#x2F;etc&#x2F;ssh&#x2F;ssh_known_hosts，保存一些对所有用户都可信赖的远程主机的公钥。</p>
<h2 id="二、公钥登录"><a href="#二、公钥登录" class="headerlink" title="二、公钥登录"></a>二、公钥登录</h2><p><strong>公钥登录是为了解决每次登录服务器都要输入密码的问题，流行使用RSA加密方案</strong>，主要流程包含：</p>
<ol>
<li>客户端生成RSA公钥和私钥（其实在哪生成是无所谓的）</li>
<li>客户端将自己的公钥存放到服务器（如果是服务端生成，则将）</li>
<li>客户端请求连接服务器，服务器将一个随机字符串发送给客户端（发送一个随机串）</li>
<li>客户端根据自己的私钥加密这个随机字符串之后再发送给服务器（客户端私钥加密）</li>
<li>服务器接受到加密后的字符串之后用公钥解密，如果正确就让客户端登录，否则拒绝。这样就不用使用密码了。</li>
</ol>
<p><img src="/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%86/ssh%E5%85%AC%E9%92%A5%E7%A7%81%E9%92%A5%E5%8E%9F%E7%90%861.png" alt="img"></p>
<h3 id="公钥和私钥"><a href="#公钥和私钥" class="headerlink" title="公钥和私钥"></a>公钥和私钥</h3><p>一个公钥对应一个私钥。密钥对中，让大家都知道的是公钥，不告诉大家，只有自己知道的，是私钥。</p>
<ol>
<li>私钥用来进行解密和签名，是给自己用的。</li>
<li>公钥由本人公开，用于加密和验证签名，是给别人用的。</li>
<li>当该用户发送信息时，用私钥签名，别人用他给的公钥验证签名，可以保证该信息是由自己发送的（保证信息的不可篡改）；当该用户接受信息时，别人用他的公钥加密，他用私钥解密，可以保证该信息只能由他接收到（保证信息的私密性）。</li>
</ol>
<h3 id="RSA算法的作用"><a href="#RSA算法的作用" class="headerlink" title="RSA算法的作用"></a>RSA算法的作用</h3><h4 id="1、加密：公钥加密私钥解密"><a href="#1、加密：公钥加密私钥解密" class="headerlink" title="1、加密：公钥加密私钥解密"></a>1、加密：公钥加密私钥解密</h4><p>　　<strong>主要用于将数据资料加密不被其他人非法获取，保证数据私密性。</strong>使用公钥将数据资料加密，只有私钥可以解密。即使密文在网络上被第三方获取由于没有私钥则无法解密。从而保证数据安全性。　　　　　</p>
<ol>
<li>A在自己电脑上生成RSA钥匙文件，一个私钥文件一个公钥文件，并将他的公钥传送给B；</li>
<li>此时B要传送信息给A，于是B用A的公钥加密他的消息，然后传送给A。【网络上传输的密文，没有A的私钥无法解密，其他人获取之后也没用】；</li>
<li>A用他的私钥解密B的消息。</li>
</ol>
<h4 id="2、认证：私钥加密公钥解密"><a href="#2、认证：私钥加密公钥解密" class="headerlink" title="2、认证：私钥加密公钥解密"></a>2、认证：私钥加密公钥解密</h4><p>主要用于身份验证，判断某个身份的真实性。<strong>使用私钥加密之后，用对应的公钥解密从而验证身份真实性。</strong></p>
<p>比如【服务端S】要验证【客户端C】是否是真实用户：</p>
<ol>
<li>C将自己公钥给S；</li>
<li>C将信息用自己私钥加密传送给S；</li>
<li>S根据C的公钥解密，如果成功则为真实身份用户。</li>
</ol>
<p><strong>SSH公钥登录则用的是第二种功能。</strong></p>
<blockquote>
<p>安全性： 这种算法非常可靠，密钥越长，它就越难破解。根据已经披露的文献，目前被破解的最长RSA密钥是768个二进制位。也就是说，长度超过768位的密钥，还无法破解（至少没人公开宣布）。因此可以认为，1024位的RSA密钥基本安全，2048位的密钥极其安全。所以我们在用ssh-keygen命令时候要注意密钥长度，具体参数为：<code>-b bits</code>（指定密钥长度。对于RSA密钥，最小要求768位，默认是2048位。DSA密钥必须恰好是1024位(FIPS 186-2 标准的要求)。）<br>至少不能少于768。一般不用写默认就是2048了。</p>
</blockquote>
<p>注意：ssh 和 https 协议的区别，ssh 没有CA认证中心的概念。</p>

    </div>

    
    
    

    <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/%E5%AE%89%E5%85%A8/" rel="tag"># 安全</a>
              <a href="/tags/ssh/" rel="tag"># ssh</a>
          </div>

        

          <div class="post-nav">
            <div class="post-nav-item">
                <a href="/2022/04/26/ulimit/" rel="prev" title="ulimit">
                  <i class="fa fa-chevron-left"></i> ulimit
                </a>
            </div>
            <div class="post-nav-item">
                <a href="/2022/05/02/linux%E6%9F%A5%E7%9C%8B%E7%A1%AC%E4%BB%B6%E3%80%81%E7%B3%BB%E7%BB%9F%E4%BF%A1%E6%81%AF/" rel="next" title="Linux查看系统信息——内存、CPU、磁盘">
                  Linux查看系统信息——内存、CPU、磁盘 <i class="fa fa-chevron-right"></i>
                </a>
            </div>
          </div>
    </footer>
  </article>
</div>






</div>
  </main>

  <footer class="footer">
    <div class="footer-inner">


<div class="copyright">
  &copy; 
  <span itemprop="copyrightYear">2023</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">SongyangJi</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/muse/" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
  </div>

    </div>
  </footer>

  
  <div class="toggle sidebar-toggle" role="button">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>
  <div class="sidebar-dimmer"></div>
  <div class="back-to-top" role="button" aria-label="返回顶部">
    <i class="fa fa-arrow-up fa-lg"></i>
    <span>0%</span>
  </div>

<noscript>
  <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>


  
  <script src="https://cdnjs.cloudflare.com/ajax/libs/animejs/3.2.1/anime.min.js" integrity="sha256-XL2inqUJaslATFnHdJOi9GfQ60on8Wx1C2H8DYiN1xY=" crossorigin="anonymous"></script>
<script src="/js/comments.js"></script><script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/schemes/muse.js"></script><script src="/js/next-boot.js"></script>

  <script src="https://cdnjs.cloudflare.com/ajax/libs/hexo-generator-searchdb/1.4.1/search.js" integrity="sha256-1kfA5uHPf65M5cphT2dvymhkuyHPQp5A53EGZOnOLmc=" crossorigin="anonymous"></script>
<script src="/js/third-party/search/local-search.js"></script>





  





</body>
</html>
